Related Appeals and Interferences

There are no related appeals or interferences that will directly affect, be directly 
affected by or have a bearing on the present appeal. 

Status of Claims 

Claims 1 to 11, 13 to 33 and 35 to 42 are presently pending in this application.

Claim 31 stands rejected under 35 U.S.C. 101 as being directed to non-statutory
subject matter. Applicant hereby requests that Claims 31 and 32 be cancelled.

Claims 13 to 30 and 38 to 42 stand rejected under 35 U.S.C. 102(b) as being
anticipated by Ford et al. (U.S. Patent 5,481,613). Claims 1 to 11 and 31 to 47 stand
rejected under 35 U.S.C. 103 as being unpatentable over Ford.

The present appeal is directed to claims 1 to 11, 13 to 30 and 35 to 42.

Status of Amendments 

The Appellant filed an amendment to claim 31 in reply to the Final Office Action
on May 11, 2006. In an Advisory Action of June 7, 2007, it was stated this amendment
would not be entered.

Applicant hereby submits an amendment cancelling claims 31 and 32. The
claims, as amended, are enclosed herewith in the Appendix of Claims.

Summary of Claimed Subject Matter 

The invention is embodied in the five appealed independent claims, namely
claims 1, 13, 29, 30, 33 and 38.

Claim 1 is directed to a method for a decryptor 12 to obtain a decryption key from
a key release agent 14. The decryptor obtains an encryption block 56, generates a key
release request 64 and outputs the key release request 64 to the key release agent 14. The
encryption block 12 comprises a data ciphertext 44 requiring a decryption key to decrypt,
key related information (page 18 lines 8 to 13) associated with a first {public key, private
key} pair, and a key ciphertext consisting of the decryption key encrypted by the first
public key. The encryption block 12 does not include an ACD (access controlled
decryption) block. The key release request 64 contains the key ciphertext and the key
related information. The key release request 64 is for use by the key release agent 14 to
locate decryptor authorization logic (page 15 lines 2 to 3) stored externally to the key
release request. The logic is to be applied in determining whether or not to release the
decryption key. If the decryption key is to be released, the decryptor receives a key release
response 66 specifying the decryption key. (See also page 7 line 24 to page 8 line 9 and
page 13 line 6 to page 14 line 7).

Claim 13 is directed to a key release method. A key ciphertext and key related
information are received from decryptor 12. The key related information is in respect of
a key used to encrypt the key ciphertext. Decryptor authorization logic (page 15 lines 2
to 3) stored externally to the decryptor is located with use of the key related information.
Decryptor information (page 18 lines 15 to 23) with respect to the decryptor is located.
Whether decryption of the key ciphertext is to be permitted is decided. The decision is
based on the decryptor information and the decryptor information logic. (See page 5
lines 9 to 16; page 16 line 23 to page 18 line 4).

Claim 29 is directed to a method of controlling access to a decryption key. A key 
release request 64 is received from a decryptor 12. The request comprises decryptor 
information (page 18 lines 15 to 23) and the decryption key encrypted using a public key. 
Decryption authorization logic (page 15 lines 2 to 3) stored externally to the request is 
located with the use of the public key. The logic is applied to the decryption information
to determine whether the decryptor should be permitted access to the decryption key. If
the decryptor is to be permitted access, a key release response 66 specifying the
decryption key is sent. (See page 6, lines 25 to page 7 line 19; page 14 lines 8 to 18).

Claim 30 is directed to a method of controlling access to a decryption key. The 
method comprises a first step of maintaining a private key repository. The private key 
repository 82 comprises a plurality of access identifiers, and for each access identifier at 
least one key related information of a respective {public key, private key} pair 92. The
repository also contains the private key for each {public key, private key} pair. (See
Figures 4 and 5 and page 14 lines 8 to 23) Next the method comprises receiving a key
release request 64 containing a decryption key encrypted using a public key of a {public
key, private key} pair and containing a key related information associated with the
{public key, private key} pair. (For example Steps 7-1 and 7-2 of Figure 7, page 16,
lines 24 to 28) The method also comprises maintaining a repository 84 residing externally
to the key release request associating each access identifier with respective decryptor
authorization logic (page 15 lines 2 to 3) that can be applied to a decryptor information
(page 18 lines 15 to 23). (See Figure 6 and Page 15, lines 5 to 25) The decryptor
information is obtained and for each access identifier in association with which the key
related information is stored, the respective decryptor authorization logic is applied to the 
decryptor information specified in the key release request. (Step 7-7, page 17 lines 10 to 
1 ) In the event the decryptor information satisfies at least one of the respective decryptor 
authorization logics, the ciphertext is decrypted to recover the decryption key and a key 
release response 66 is sent specifying the decryption key. (Step 7-13, page 17 lines 23 to 
26) 

Claim 33 is directed to a decryptor 12 comprising means for obtaining an 
encryption block 56, means for generating a key release request 64 and outputting the 
request to a key release agent 14, means for making decryptor information (page 18 lines
15 to 23) available to the key release agent, and means for receiving a key release
response 66. The encryption block comprises a data ciphertext requiring a decryption
key to decrypt, key related information (page 18 lines 8 to 13) associated with a first
{public key, private key} pair and a key ciphertext consisting of the decryption key
encrypted by the first public key. The encryption block does not include an ACD. The
key release request contains the key ciphertext and the key related information. The 
decryptor information is for use by the key release agent to locate decryptor authorization 
logic (page 15 lines 2 to 3) stored externally to the key release request. The logic is to be 
applied in determining whether or not to release the decryption key. (See page 7 lines 20 
to 23 and page 12 lines 28 to page 13 line 15). 

Claim 38 is directed to a key release agent 14 comprising means for receiving
from a decryptor 12 a key ciphertext and key related information (page 18 lines 8 to 13)
in respect of a key used to encrypt the key ciphertext, means for locating decryptor
information (page 18 lines 15 to 23) stored externally to the decryptor with use of the key
related information, means for locating decryptor information in respect of the decryptor,
and means for deciding based on decryptor information and the decryptor authorisation
logic (page 15 lines 2 to 3) whether decryption of the ciphertext is to be permitted. (Page
14 line 8 to 18; page 15 lines 21 to 25).
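
The key release flow summarized above for claims 13 and 30 can be sketched as follows. This is an added illustration, not code from the application or from Ford; the class and function names, the rule set and the toy textbook-RSA numbers are constructed assumptions. It keeps the authorization logic (callable rules held by the agent) separate from the decryptor information (plain data carried in the request).

```python
from dataclasses import dataclass

# Constructed toy textbook-RSA key pair (tiny and insecure, illustration only):
# modulus, public exponent, private exponent.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753


def wrap_key(decryption_key: int) -> int:
    """Encryptor side: produce the key ciphertext under the first public key."""
    return pow(decryption_key, TOY_E, TOY_N)


@dataclass(frozen=True)
class KeyReleaseRequest:
    key_ciphertext: int      # decryption key encrypted under the public key
    key_related_info: str    # here a key pair identifier (hypothetical format)
    decryptor_info: dict     # plain data about the requester, no behaviour


class KeyReleaseAgent:
    """Hypothetical agent holding the two repositories described for claim 30."""

    def __init__(self, private_keys, access_ids, rules):
        self.private_keys = private_keys  # key pair id -> (n, d)
        self.access_ids = access_ids      # key pair id -> [access identifier]
        self.rules = rules                # access identifier -> predicate

    def release(self, request):
        """Return the decryption key, or None when release is refused."""
        private_key = self.private_keys.get(request.key_related_info)
        if private_key is None:
            return None  # unknown key pair: nothing to decide on
        for access_id in self.access_ids.get(request.key_related_info, []):
            # The rule is located in the agent's own repository by way of the
            # key related information; nothing in the request supplies it.
            rule = self.rules.get(access_id)
            if rule is not None and rule(request.decryptor_info):
                n, d = private_key
                return pow(request.key_ciphertext, d, n)
        return None  # default deny: no rule was satisfied


def build_demo_agent():
    """Constructed sample repositories for one key pair."""
    return KeyReleaseAgent(
        private_keys={"kp-1": (TOY_N, TOY_D)},
        access_ids={"kp-1": ["audit-team", "finance-managers"]},
        rules={
            "audit-team": lambda info: info.get("role") == "auditor",
            "finance-managers": lambda info: (
                info.get("group") == "finance" and info.get("clearance", 0) >= 2
            ),
        },
    )


if __name__ == "__main__":
    agent = build_demo_agent()
    key_ciphertext = wrap_key(1234)
    for info in ({"id": "alice", "role": "auditor"},
                 {"id": "bob", "role": "intern"}):
        request = KeyReleaseRequest(key_ciphertext, "kp-1", info)
        print(info["id"], agent.release(request))
```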

Grounds of Rejection to be Reviewed on Appeal 

Claims 13 to 30 and 38 to 42 are rejected under 35 U.S.C. 102(b) as being
anticipated by Ford et al. (U.S. Patent 5,481,613) (hereinafter "Ford").

Claims 1 to 11 and 31 to 47 are rejected under 35 U.S.C. 103 as being
unpatentable over Ford.

Argument 

35 U.S.C. 102(b) 

1. Independent Method Claim 13

It is respectfully submitted that the Examiner's rejection of claim 13 is erroneous,
for the following reasons.

The Examiner alleges that the feature of "locating decryptor authorization logic 
stored externally to the decryptor with use of the key related information" is disclosed in 
Ford in Figure 2 and at column 6, lines 13 to 17 and 53 to 55 and that the feature of 
"obtaining decryptor information in respect of the decryptor" is disclosed in Ford at 
column 6, lines 56-66. The referenced passages of Ford refer to obtaining "decryptor 
privilege attribute information" and provide examples of what that information can 
include. These include: authenticated identity, group membership, role membership, and
clearance information. The Examiner has inferred that the decryptor privilege attribute 
information of Ford is analogous to both the decryptor authorization logic and the 
decryptor information recited in claim 13. Lines 55-66 simply provide examples of the 
decryption privilege attribute information disclosed on lines 50-55. Therefore, both 
passages are referring to the same thing. With all due respect, this interpretation of the 
claims and prior art results in the illogical result of the decryptor authorization logic and 
the decryptor information having the same meaning. This is clearly an error. 

The terms "logic" and "information" have been used by the Applicant throughout
the claims and description in different contexts and it is clear that these terms are
intended to have different meanings. For example, the limitation of "deciding based on
the decryptor information and the decryptor authorization logic ..." in claim 13 would be
nonsensical if these two terms did not have different meanings. In any event, the
ordinary meaning of these terms, as understood by a person skilled in the art are clearly
different. Information does not have any functionality, whereas logic can be applied to
information or data to achieve a result.

As explained on page 13 of our response of December 13, 2005, the decryptor
privilege attribute information is clearly not "decryptor logic". The following passage
from Ford referred to on that page of the response, makes it clear that the decryptor
attribute information is simply data that is used as the basis for a comparison:

"This decryptor privilege attribute information may be just the decryptor's
authenticated identity, which may be obtained in one embodiment through the key
release transaction request using a suitable authentication mechanism. In another
embodiment, more extensive decryptor privilege attribute information, e.g.,
group-membership, role-membership, or clearance information may be supplied
by the decryptor in a certified form, e.g., a privilege attribute certificate signed by
a trusted third party, or, in a yet further embodiment, the KRA may obtain
decryptor privilege attributes from a supporting database as shown by a dotted
line in FIG. 2."

It is clearly wrong to interpret "decryptor privilege attribute information" to be 
analogous to "logic" that can be applied to data, as the Examiner has done in the
Advisory Action. On page 15 of the description of the present invention, in describing a
specific embodiment, it is stated on lines 1-4 that: "Each access identifier is associated 
with a set of rules (more generally, is associated with respective decryptor authorization 
logic)". Clearly, a set of rules is an example of logic. However, the "decryptor privilege 
attribute information", as used in the context of Ford could not be used to describe a set 
of rules. 

Therefore, the essential feature of "locating decryptor authorization logic stored 
externally to the decryptor" in claim 13 is not disclosed by the prior art and thus the test
for anticipation has not been met. It is thus respectfully submitted that claim 13 is in
compliance with 35 U.S.C. 102(b). 

2. Dependent Claim 14

Claim 14 depends from claim 13 and defines the additional limitation of the
decryptor information being received from the decryptor together with the key ciphertext
and key related information.

Claim 14 includes the inventive features of claim 13 and therefore, it is
respectfully submitted that claim 14 is novel over Ford for at least the reasons given with
respect to claim 13.

Furthermore, it is submitted that the additional limitation recited in claim 14 is not 
disclosed in the cited passage of Ford, i.e. Figure 2, step 34, column 6, line 40 to column 
7, line 49. The cited passage does not disclose obtaining the decryptor information from 
the decryptor nor receiving it together with key ciphertext and key related information. 
At lines 42 to 43 of column 6, Ford states that: "The KRA will also obtain decryptor
privilege information". This leads the reader to understand that the decryptor privilege 
information is obtained in addition to the other information but not at the same time or 
from the same place. In fact, in the specific embodiment shown in Figure 2, the 
decryptor privilege information is obtained from a supporting database. 

Therefore, it is respectfully submitted that claim 14 is in compliance with 35 
U.S.C. 102(b). 

3. Dependent Claim 15

Claim 15 depends from claim 13 and defines the additional limitation of receiving 
the decryptor information while establishing a secure connection with the decryptor. 

Claim 15 includes the inventive features of claim 13 and therefore, it is 
respectfully submitted that claim 15 is novel over Ford for at least the reasons given with 
respect to claim 13. 

In addition, it is submitted that the additional limitations recited in claim 15 are
not disclosed in the cited passage of Ford, i.e. Figure 2, step 34, column 6, line 40 to
column 7, line 49. As stated with respect to claim 14, the cited passage of Ford does not
disclose obtaining the decryptor information from the decryptor. Furthermore, there is no
disclosure in the cited passage of establishing a secure connection with the decryptor
while obtaining the decryptor information.

Therefore, it is respectfully submitted that claim 15 is in compliance with 35
U.S.C. 102(b). 

4. Dependent Claim 16 

Claim 16 depends from claim 13 and defines the additional limitations of
receiving from the decryptor a decryptor identifier and using the decryptor identifier to
lookup decryptor attributes from a public repository, the decryptor identifier and decryptor
attributes together constituting the decryptor information. 

Claim 16 includes the inventive features of claim 13 and therefore, it is 
respectfully submitted that claim 16 is novel over Ford for at least the reasons given with 
respect to claim 13. 

In addition, it is submitted that the additional limitations recited in claim 16 are 
not disclosed in the cited passage of Ford, i.e. Figure 2, step 34, column 6, line 40 to 
column 7, line 49. As stated with respect to claim 14, the cited passage of Ford does not
disclose obtaining the decryptor information from the decryptor. As well, the cited
passage of Ford does not disclose using a decryptor identifier to lookup decryptor
attributes. What is disclosed in column 6, lines 42 to 65 of Ford is that decryptor
privilege attribute information can include the decryptor's authentication identity and that
the attributes may be obtained from a supporting database. The use of an identifier to
lookup other attributes is not disclosed.

Therefore, it is submitted that claim 16 is in compliance with 35 U.S.C. 102(b).

5. Dependent Claim 19

Claim 19 depends from Claim 17 and defines the additional limitation of 
receiving the certificate together with the key ciphertext and key related information. 

Claim 19 includes the inventive features of claim 13 and therefore, it is 
respectfully submitted that claim 19 is novel over Ford for at least the reasons given with
respect to claim 13.

Furthermore, it is submitted that the additional limitations recited in claim 19 are
not disclosed in the cited portions of Ford. At lines 42 to 43 of column 6, Ford states
that: "The KRA will also obtain decryptor privilege information". This leads the reader
to understand that the information, which could include a certificate, is obtained in
addition to the other information but not together with it.

Therefore, it is respectfully submitted that claim 19 is in compliance with 35 
U.S.C. 102(b). 

6. Dependent Claims 25, 26 and 27

Claim 25 depends from claim 13 and defines the further limitations of receiving a
plurality of key ciphertexts and respective key related information from the decryptor and
determining whether at least one private key required to decrypt a respective at least one
key ciphertext of the plurality of key ciphertexts is available; using the respective key
related information to locate respective decryptor authorization logic stored externally to
the decryptor; and upon determining such at least one private key is available, deciding
based on the decryptor information and the respective decryptor authorization logic
whether decryption of at least one of the plurality of key ciphertexts is permitted.

Claim 25 includes the inventive features of claim 13 and therefore, it is 
respectfully submitted that claim 25 is novel over Ford for at least the reasons given with
respect to claim 13.

Furthermore, it is submitted that the cited passages of Ford do not disclose the
additional limitations of claim 25. In particular, column 6 lines 24 to 40 do not discuss
the availability of the private key. Because Ford does not disclose decryptor
authorization "logic", as discussed with reference to claim 13, it also does not disclose
using key related information to locate the logic nor does it disclose deciding based on
the logic in combination with decryptor information whether decryption is permitted. 

Claims 26 and 27 depend from claim 25 and include the inventive features of 
claim 25 and therefore are novel over Ford for at least the reasons given with respect to 
claim 25. 

Therefore, it is respectfully submitted that claims 25 to 27 are in compliance with 
35 U.S.C. 102(b).

7. Dependent Claim 28 

Claim 28 depends from claim 13 and defines the further limitation that deciding
based on decryptor information of the decryptor and the decryptor authorization logic
whether decryption of the key ciphertext is to be permitted comprises applying at least
one rule of the decryptor authorization logic associated with the public key used to
encrypt the decryption key to the decryptor information to determine whether the
decryptor should be permitted access to the decryption key.

Claim 28 includes the inventive features of claim 13 and therefore, it is
respectfully submitted that claim 28 is novel over Ford for at least the reasons given with
respect to claim 13. Furthermore, making a decision based on logic that is not disclosed
is necessarily also not disclosed.

Therefore, it is respectfully submitted that claim 28 is in compliance with 35
U.S.C. 102(b).

8. Dependent Claims 17, 18 and 20 to 24

Dependent Claims 17, 18, and 20 to 24 depend either directly or indirectly from
claim 13 and thus include the inventive features of claim 13. Therefore, it is respectfully
submitted that claims 17, 18, and 20 to 24 are novel over Ford for at least the reasons
given with respect to claim 13 and thus are in compliance with 35 U.S.C. 102(b).

9. Independent Claim 29

Independent claim 29 also contains the limitation of "locating decryptor
authorization logic stored externally to the decryptor". As explained with respect to
independent claim 13, this feature is not disclosed in Ford.

Furthermore, claim 29 recites "applying the decryptor authorization logic to
encrypt the decryption key to the decryptor information to determine whether the
decryptor should be permitted access to the decryption key". The passage of Ford cited
by the Examiner as disclosing this feature, namely Figure 2 and column 7, lines 35 to 49,
actually discloses the application of Access Control Attributes (ACA) with the decryptor
privilege attributes. The ACA is included in the ACD block with the key-release request
- not stored externally. Ford does not disclose applying logic retrieved from an external
storage. Therefore, Ford does not disclose all of the essential features of this claim and
the test for anticipation has not been met.

Thus, it is respectfully submitted that claim 29 is in compliance with 35 U.S.C.
102(b).

10. Independent Claim 30 

Regarding independent claim 30, this claim is hereby cancelled.

11. Independent Claim 38

With respect to independent claim 38, it recites "means for locating decryptor
authorization logic stored externally to the decryptor" and "means for deciding based on
decryptor information of the decryptor and the decryptor authorization logic". These are
means for implementing the method steps of claim 13 and therefore the claim is novel
over Ford for at least the same reasons given with respect to that claim. Specifically, Ford
does not disclose "decryptor authorization logic stored externally to the decryptor".

Thus, it is respectfully submitted that claim 38 is in compliance with 35 U.S.C.
102(b).

12. Dependent Claim 39 

Claim 39 depends from claim 38 and defines the further limitation that the key 
release agent is adapted to receive the decryptor information with the key ciphertext and
key related information. 

Claim 39 includes the inventive features of claim 38 and therefore, it is 
respectfully submitted that claim 39 is novel over Ford for at least the reasons given with 
respect to claim 38. 

Furthermore, it is submitted that the additional limitation recited in claim 39 is not 
disclosed in the cited passage of Ford, i.e. Figure 2, and column 6, lines 24 to 40. The 
cited passage does not disclose obtaining the decryptor information from the decryptor 
nor receiving it together with key ciphertext and key related information. 

Therefore, it is respectfully submitted that claim 39 is in compliance with 35
U.S.C. 102(b).

13. Dependent Claim 40 

Claim 40 depends from claim 38 and defines the further limitation of the key
release agent being adapted to use a decryptor identifier to lookup decryptor attributes
from a repository, the decryptor identifier and the decryptor attributes together
constituting the decryptor information.

Claim 40 includes the inventive features of claim 38 and therefore, it is 
respectfully submitted that claim 40 is novel over Ford for at least the reasons given with 
respect to claim 38. 

In addition, it is submitted that the additional limitations recited in claim 40 are
not disclosed in the cited passage of Ford, i.e. column 6, lines 42 to 65. The cited passage
of Ford does not disclose obtaining the decryptor information from the decryptor. As
well, the cited passage of Ford does not disclose using a decryptor identifier to lookup
decryptor attributes. What is disclosed in column 6, lines 42 to 65 of Ford is that
decryptor privilege attribute information can include the decryptor's authentication
identity and that the attributes may be obtained from a supporting database. The use of
an identifier to lookup other attributes is not disclosed. 

Therefore, it is submitted that claim 40 is in compliance with 35 U.S.C. 102(b). 

14. Dependent Claim 41 

Claim 41 includes the inventive features of claim 38 and therefore, it is 
respectfully submitted that claim 41 is novel over Ford for at least the reasons given with
respect to claim 38 and in compliance with 35 U.S.C. 102(b). 

15. Dependent Claim 42 

Claim 42 depends from claim 38 and defines the further limitation of a means for 
applying decryptor authorization logic associated with each public key used to encrypt 
the decryption key to the decryptor information for determining whether the decryptor
should be permitted access to the decryption key.

Claim 42 includes the inventive features of claim 38 and therefore, it is
respectfully submitted that claim 42 is novel over Ford for at least the reasons given with 
respect to claim 38. Furthermore, applying logic that is not disclosed is necessarily also 
not disclosed. 

Therefore, it is respectfully submitted that claim 42 is in compliance with 35 
U.S.C. 102(b). 

35 U.S.C. 103

16. Independent Claim 1

Claim 1 also includes the feature of decryptor authorization logic stored external
to the decryptor and therefore a prima facie case for obviousness has not been met
because all of the claim limitations have not been disclosed in the cited prior art.

In particular, Claim 1 recites "the decryptor generating a key release request . . .
for use by the key release agent to locate decryptor authorization logic stored externally
to the key release that is to be applied". Once again, the passages from Ford cited by the
Examiner disclose attribute information and not decryptor authorization logic.

Therefore, it is respectfully submitted that a prima facie case for obviousness has
not been made out and that claim 1 is in compliance with 35 U.S.C. 103.

17. Dependent Claims 2, 3, 4, 6, 7, 8, 9, 10, 11

Claims 2 to 4 and 6 to 11 include all of the inventive features of claim 1
and therefore are inventive over Ford for at least the reasons given with respect to
claim 1. Therefore, it is respectfully submitted that claims 2 to 4 and 6 to 11 are
in compliance with 35 U.S.C. 103.

18. Dependent Claim 5

Claim 5 depends from claim 2 and defines the further limitation that the decryptor 
making the decryptor information available to the key release agent comprises the 
decryptor providing the decryptor information to the key release agent while establishing 
a secure connection with the key release agent. 

Claim 5 includes all of the inventive features of claim 1 and therefore is inventive
over Ford for at least the reasons given with respect to claim 1. Furthermore, as
submitted with reference to claim 15, the additional features claimed in claim 5 are not 
disclosed in Ford. Therefore, a prima facie case for obviousness has not been met and it 
is submitted that claim 5 is in compliance with 35 U.S.C. 103. 

19. Independent claim 33 

Claim 33 also includes the feature of decryptor authorization logic stored external 
to the decryptor and therefore a prima facie case for obviousness has not been met 
because all of the claim limitations have not been disclosed in the cited prior art. 
Therefore, for at least the reasons given with respect to claim 1, it is respectfully
submitted that claim 33 is in compliance with 35 U.S.C. 103.

20. Dependent Claims 35 to 37 

Claims 35 to 37 include all of the inventive features of claim 33 and therefore are 
inventive over Ford for at least the reasons given with respect to claim 33. Thus, it is 
respectfully submitted that claims 35 to 37 are in compliance with 35 U.S.C. 103.

For the foregoing reasons, it is submitted that the Examiner's rejections are
erroneous, and reversal of his decision is respectfully requested.



Respectfully submitted, 
GLENN LANGFORD

Claims Appendix:

1. (Previously presented) A method for a decryptor to obtain a decryption key from a key
release agent comprising:

a decryptor obtaining an encryption block comprising a data ciphertext
requiring a decryption key to decrypt, the encryption block further comprising key related
information associated with a first {public key, private key} pair, the encryption block
further comprising a key ciphertext consisting of the decryption key encrypted by the first
public key of the first {public key, private key} pair, the encryption block not including
an ACD (access controlled decryption) block;

the decryptor generating a key release request containing the key
ciphertext and the key related information and outputting the key release request to the
key release agent, the key release request for use by the key release agent to locate
decryptor authorization logic stored externally to the key release request that is to be
applied in determining whether or not to release the decryption key;

in the event the decryption key is to be released, the decryptor receiving a
key release response specifying the decryption key.

2. (Previously presented) A method according to claim 1 further comprising:

the decryptor making decryptor information available to the key release
agent, the decryptor information for use by the key release agent in determining decryptor
attributes, the decryptor attributes for further use in determining whether or not to release
the decryption key.

3. (Original) A method according to claim 1 further comprising the decryptor using the
decryption key to decrypt the data ciphertext.

4. (Original) A method according to claim 1 wherein the decryptor making the decryptor
information available to the key release agent comprises including the decryptor
information in the key release request.

5. (Previously presented) A method according to claim 2 wherein the decryptor making
the decryptor information available to the key release agent comprises the decryptor
providing the decryptor information to the key release agent while establishing a secure
connection with the key release agent.

6. (Previously presented) A method according to claim 2 wherein the decryptor making
the decryptor information available to the key release agent comprises providing a
decryptor identifier which may be used to look up decryptor attributes stored in a
repository external to the key release request.

7. (Original) A method according to claim 1 wherein the key related information 
comprises a key pair identifier. 

8. (Original) A method according to claim 1 further comprising: 

before generating the key release request, the decryptor determining if the
private key of the first {public key, private key} pair is available at the decryptor;

upon determining the private key of the first {public key, private key} pair
is not available at the decryptor generating the key release request.

9. (Original) A method according to claim 1 further comprising:

decrypting at least a portion of the key release response containing an 
encrypted version of the decryption key using a private key of a second {public key, 
private key} pair to recover the decryption key. 

10. (Previously presented) A method according to claim 1 wherein the encryption block 
comprises a plurality of key related information associated with a respective plurality of 
first {public key, private key} pairs, and a respective plurality of key ciphertexts each
consisting of the decryption key encrypted by the public key of a respective one of the 
plurality of first {public key, private key} pairs associated with the plurality of key 
related information, the method comprising: 

generating the key release request containing the plurality of key
ciphertexts, and the associated plurality of key related information.

11. (Original) A method according to claim 10 further comprising:

before generating the key release request, determining if at least one
private key of the plurality of first {public key, private key} pairs is available at the
decryptor;

upon determining none of the private keys of the plurality of first {public
key, private key} pairs is available at the decryptor generating the key release request.

12. (Cancelled) 

13. (Previously presented) A key release method comprising: 

receiving a key ciphertext and key related information in respect of a key
used to encrypt the key ciphertext from a decryptor; 

locating decryptor authorization logic stored externally to the decryptor 
with use of the key related information; 

obtaining decryptor information in respect of the decryptor; 

deciding based on the decryptor information and the decryptor 
authorization logic whether decryption of the key ciphertext is to be permitted. 

14. (Original) A method according to claim 13 wherein the decryptor information is 
received from the decryptor together with the key ciphertext and key related information. 

15. (Original) A method according to claim 13 wherein obtaining decryptor information 
comprises receiving the decryptor information while establishing a secure connection 
with the decryptor. 

16. (Original) A method according to claim 13 wherein obtaining decryptor information 
comprises: 

receiving from the decryptor a decryptor identifier;

using the decryptor identifier to lookup decryptor attributes from a public
repository, the decryptor identifier and decryptor attributes together constituting the 
decryptor information. 

17. (Original) A method according to claim 13 further comprising:

using information in a certificate as the decryptor information.

18. (Original) A method according to claim 17 further comprising:

obtaining the certificate from a certificate repository.

19. (Original) A method according to claim 17 further comprising receiving the
certificate together with the key ciphertext and key related information.

20. (Original) A method according to claim 13 wherein the decryptor information is an 
identity or role of the decryptor, an alias, or a claim of access rights or privilege, or some 
other attribute of the decryptor of a corresponding decrypting device or platform. 

21. (Original) A method according to claim 13 wherein the key related information
comprises a key pair identifier. 

22. (Original) A method according to claim 13 further comprising: 

decrypting the key ciphertext, re-encrypting the key using a public key of
a {public key, private key} pair to produce a re-encrypted key, the private key of which is 
available to the decryptor, and sending the re-encrypted key to the decryptor. 

23. (Original) A method according to claim 13 further comprising: 

decrypting the key ciphertext to obtain a decryption key;
sending the decryption key to the decryptor over a secure channel. 

24. (Original) A method according to claim 13 further comprising:

decrypting the key ciphertext to obtain a decryption key;
using a symmetric key available to the decryptor, encrypting the
decryption key with the symmetric key to produce an encrypted decryption key, and
sending the encrypted decryption key to the decryptor.

25. (Previously presented) A method according to claim 13 further comprising:

receiving a plurality of key ciphertexts and respective key related
information from the decryptor and determining whether at least one private key required
to decrypt a respective at least one key ciphertext of the plurality of key ciphertexts is
available;

using the respective key related information to locate respective decryptor 
authorisation logic stored externally to the decryptor; and 

upon determining such at least one private key is available, deciding based 
on the decryptor information and the respective decryptor authorization logic whether 
decryption of at least one of the plurality of key ciphertexts is to be permitted.

26. (Original) A method to claim 25 further comprising: 

decrypting one of the key ciphertexts using a corresponding private key to 
recover a decryption key. 

27. (Previously presented) A method according to claim 25 wherein deciding based on 
decryptor information of the decryptor and the respective decryptor authorization logic 
whether decryption of at least one of the key ciphertexts is to be permitted comprises
applying the respective decryptor authorization logic associated with each public key
used to encrypt the decryption key to the decryptor information to determine whether the
decryptor should be permitted access to the decryption key.

28. (Previously presented) A method according to claim 13 wherein deciding based on 
decryptor information of the decryptor and the decryptor authorization logic whether 
decryption of the key ciphertext is to be permitted comprises applying at least one rule of 
the decryptor authorization logic associated with the public key used to encrypt the 
decryption key to the decryptor information to determine whether the decryptor should be 
permitted access to the decryption key.

29. (Previously presented) A method of controlling access to a decryption key 
comprising: 

receiving from a decryptor a key release request comprising decryptor 
information and the decryption key encrypted using a public key; 

locating decryption authorization logic stored externally to the key release 
request with use of the public key; 

applying the decryption authorization logic to the decryptor information to 
determine whether the decryptor should be permitted access to the decryption key; 

upon determining the decryptor should be permitted access to the
decryption key, sending a key release response specifying the decryption key. 

30. (Previously presented) A method of controlling access to decryption keys 
comprising: 

maintaining a private key repository comprising a plurality of access 
identifiers, and for each access identifier at least one key related information of a 
respective {public key, private key} pair, the repository also containing the private key of
each {public key, private key} pair; 

receiving a key release request containing a decryption key encrypted 
using a public key of a {public key, private key} pair and containing a key related 
information associated with the {public key, private key} pair; 

maintaining a repository residing externally to the key release request 
associating each access identifier with respective decryptor authorization logic that can 
be applied to a decryptor information; 

obtaining decryptor information; 

for each access identifier in association with which the key related 
information is stored, applying the respective decryptor authorization logic to the
decryptor information specified in the key release request;

in the event the decryptor information satisfies at least one of the
respective decryptor authorization logics, decrypting the ciphertext to recover the
decryption key, and sending a key release response to the decryptor specifying the 
decryption key. 

31. (Cancelled) 

32. (Cancelled) 

33. (Previously presented) A decryptor comprising: 

means for obtaining an encryption block comprising a data ciphertext 
requiring a decryption key to decrypt, the encryption block further comprising key related 
information associated with a first {public key, private key} pair, the encryption block 
further comprising a key ciphertext consisting of the decryption key encrypted by the first 
public key of the first {public key, private key} pair, the encryption block not including 
an ACD (access controlled decryption) block;

means for generating a key release request containing the key ciphertext,
and the key related information and outputting the key release request to the key release
agent;

means for making decryptor information available to the key release
agent, the decryptor information for use by the key release agent to obtain decryptor
authorisation logic stored externally to the key release request that is to be applied in
determining whether or not to release the decryption key;

means for receiving a key release response specifying the decryption key. 

34. (Cancelled) 

35. (Previously presented) A decryptor according to claim 33 further comprising means 
for using the decryption key to decrypt the data ciphertext.

36. (Original) A decryptor according to claim 33 adapted to make the decryptor
information available to the key release agent by including the decryptor information in 
the key release request. 

37. (Original) A decryptor according to claim 33 further comprising means for 
decrypting at least a portion of the key release response containing an encrypted version 
of the decryption key using a private key of a second {public key, private key} pair to 
recover the decryption key. 

38. (Previously presented) A key release agent comprising: 

means for receiving from a decryptor a key ciphertext and key related 
information in respect of a key used to encrypt the key ciphertext; 

means for locating decryptor authorisation logic stored externally to the
decryptor with use of the key related information; 

means for obtaining decryptor information in respect of the decryptor; and 

means for deciding based on decryptor information of the decryptor and 
the decryptor authorization logic whether decryption of the key ciphertext is to be 
permitted. 

39. (Original) A key release agent according to claim 38 adapted to receive the decryptor
information together with the key ciphertext and key related information. 

40. (Previously presented) A key release agent according to claim 38 adapted to use a 
decryptor identifier to lookup decryptor attributes from a repository, the decryptor 
identifier and decryptor attributes together constituting the decryptor information. 

41. (Previously presented) A key release agent according to claim 38 further comprising:

decrypting means for decrypting the key ciphertext;

encryption means for re-encrypting the key using a public key of a {public
key, private key} pair to produce a re-encrypted key, the private key of which is available 
to the decryptor; 

means for sending the re-encrypted key to the decryptor. 

42. (Previously presented) A key release agent according to claim 38 further comprising: 

means for applying decryptor authorization logic associated with each 
public key used to encrypt the decryption key to the decryptor information for 
determining whether the decryptor should be permitted access to the decryption key.
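
Added illustration, not part of the filing: a minimal model of the key release agent of claims 13, 22 and 30, in which the agent locates authorization logic through the key pair identifier, applies it to the decryptor information, and only then unwraps and re-encrypts the decryption key. The class and field names, the role-based rule, the key values and the toy textbook-RSA wrapping are all assumptions made for the example.

```python
# Added illustration (not from the filing). Textbook RSA over tiny constructed
# primes stands in for real public-key wrapping: NOT secure, stdlib-only.

def make_pair(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))        # (public key, private key)

def rsa(key, m):
    n, exp = key
    return pow(m, exp, n)

class KeyReleaseAgent:
    def __init__(self):
        self.private_keys = {}   # key pair identifier -> private key
        self.access_ids = {}     # access identifier -> key pair identifiers
        self.auth_logic = {}     # access identifier -> rule(decryptor_info)

    def register(self, access_id, key_pair_id, private_key, rule):
        self.private_keys[key_pair_id] = private_key
        self.access_ids.setdefault(access_id, set()).add(key_pair_id)
        self.auth_logic[access_id] = rule

    def release(self, request):
        """Return the decryption key re-encrypted for the decryptor, or None."""
        kid, info = request["key_pair_id"], request["decryptor_info"]
        if kid not in self.private_keys:
            return None
        # The rules are located through the key related information and live
        # at the agent; nothing in the request can replace or weaken them.
        rules = [self.auth_logic[a] for a, kids in self.access_ids.items() if kid in kids]
        if not any(rule(info) for rule in rules):
            return None                         # fail closed: no unwrap on denial
        key = rsa(self.private_keys[kid], request["key_ciphertext"])
        # Assumption: info was authenticated beforehand (e.g. via a certificate).
        return rsa(info["public_key"], key)

def demo():
    first_pub, first_priv = make_pair(1009, 1013)     # private half held by agent
    second_pub, second_priv = make_pair(1031, 1033)   # private half held by decryptor
    agent = KeyReleaseAgent()
    agent.register("finance", "kp-1", first_priv, lambda i: i.get("role") == "auditor")
    data_key = 424242                                 # constructed decryption key
    key_ciphertext = rsa(first_pub, data_key)         # as carried in the encryption block

    def ask(role, kid="kp-1"):
        resp = agent.release({"key_pair_id": kid, "key_ciphertext": key_ciphertext,
                              "decryptor_info": {"role": role, "public_key": second_pub}})
        return None if resp is None else rsa(second_priv, resp)
    return ask("auditor"), ask("intern"), ask("auditor", "kp-9")
```

The three requests in demo() cover an authorized decryptor, a decryptor whose information fails the rule, and a key pair identifier unknown to the agent.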
Evidence Appendix:



None. 
Related Proceedings Appendix



None 